
CWE-761 (Free of Pointer not at Start of Buffer) — Vulnerability Class (1)

1 vulnerability is classified as CWE-761 (Free of Pointer not at Start of Buffer). AI analysis in Chinese included.

CWE-761 represents a critical memory management weakness where software attempts to deallocate heap memory using a pointer that does not reference the beginning of the allocated buffer. This error typically arises when developers manipulate pointers, such as incrementing them to traverse data structures, and subsequently pass the modified address to the free function. Exploitation of this flaw can lead to immediate application crashes, heap corruption, or the modification of critical program variables, potentially enabling arbitrary code execution if the memory allocator’s internal state is compromised. To prevent this vulnerability, developers must ensure that only the original base pointers returned by allocation functions like malloc are passed to free. Implementing strict pointer tracking mechanisms and avoiding arithmetic operations on allocation pointers before deallocation are essential practices for maintaining memory integrity and preventing heap-based exploits.

MITRE CWE Description
The product calls free() on a pointer to a memory resource that was allocated on the heap, but the pointer is not at the start of the buffer. This can cause the product to crash, or in some cases, modify critical program variables or execute code. This weakness often occurs when the memory is allocated explicitly on the heap with one of the malloc() family functions and free() is called, but pointer arithmetic has caused the pointer to be in the interior or end of the buffer.
Common Consequences (1)
Scope: Integrity, Availability, Confidentiality. Impact: Modify Memory; DoS: Crash, Exit, or Restart; Execute Unauthorized Code or Commands.
Mitigations (4)
Implementation: When utilizing pointer arithmetic to traverse a buffer, use a separate variable to track progress through memory and preserve the originally allocated address for later freeing.
Implementation: When programming in C++, consider using smart pointers provided by the boost library to help correctly and consistently manage memory.
Architecture and Design: Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, glibc in Linux provides protection against free of invalid pointers.
Architecture and Design: Use a language that provides abstractions for memory allocation and deallocation.
Examples (2)
In this example, the programmer dynamically allocates a buffer to hold a string and then searches for a specific character. After completing the search, the programmer attempts to release the allocated memory and return SUCCESS or FAILURE to the caller. Note: for simplification, this example uses a hard-coded "Search Me!" string and a constant string length of 20.
#include <stdlib.h>
#include <string.h>

#define SUCCESS (1)
#define FAILURE (0)

int contains_char(char c){
    char *str;
    str = (char*)malloc(20*sizeof(char));
    strcpy(str, "Search Me!");
    while( *str != '\0' ){
        if( *str == c ){
            /* matched char, free string and return success */
            /* CWE-761: unless c was the first character, str has been advanced and is no longer the malloc() base */
            free(str);
            return SUCCESS;
        }
        /* didn't match yet, increment pointer and try next char */
        str = str + 1;
    }
    /* we did not match the char in the string, free mem and return failure */
    /* CWE-761: str now points at the terminator, not at the start of the buffer */
    free(str);
    return FAILURE;
}
Bad · C
#include <stdlib.h>
#include <string.h>

#define SUCCESS (1)
#define FAILURE (0)

int contains_char(char c){
    char *str;
    size_t i = 0;
    str = (char*)malloc(20*sizeof(char));
    strcpy(str, "Search Me!");
    while( i < strlen(str) ){
        if( str[i] == c ){
            /* matched char, free string and return success */
            /* str is still the pointer malloc() returned, so this free is valid */
            free(str);
            return SUCCESS;
        }
        /* didn't match yet, increment the index and try next char; str itself is never modified */
        i = i + 1;
    }
    /* we did not match the char in the string, free mem and return failure */
    free(str);
    return FAILURE;
}
Good · C
This code attempts to tokenize a string and place the tokens into an array using the strsep function, which writes a \0 byte in place of each space or tab character. After the loop finishes, each entry in the ap array points to a location within the input string rather than to the start of a separate allocation.
#include <stdlib.h>
#include <string.h>

char **ap, *argv[10], *inputstring;
for (ap = argv; (*ap = strsep(&inputstring, " \t")) != NULL;)
    if (**ap != '\0')
        if (++ap >= &argv[10])
            break;
/* ... */
/* CWE-761: ap[4] points into the interior of inputstring, not at the start of any heap allocation */
free(ap[4]);
Bad · C
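A corrected version of the strsep case, added here as an illustration and not part of the MITRE entry: the strsep cursor and the token pointers are kept separate from the allocation base, which is the only pointer ever handed to free(). The names count_tokens, base, cursor and MAX_TOKENS are choices made for this example.

```c
#define _GNU_SOURCE            /* strsep() and strdup() are POSIX/BSD, not ISO C */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TOKENS 10

/* Split `input` on spaces and tabs into at most MAX_TOKENS fields and
 * return how many non-empty fields were found (-1 on allocation failure).
 * The allocation base is kept in `base`; strsep() advances a separate
 * `cursor`, and the token pointers stored in argv[] all point into the
 * interior of the buffer. Only `base` is ever passed to free(). */
int count_tokens(const char *input)
{
    char *base = strdup(input);    /* the one pointer malloc() gave us */
    if (base == NULL)
        return -1;
    char *cursor = base;           /* strsep() moves this, never base */
    char *argv[MAX_TOKENS];
    char **ap;

    for (ap = argv; (*ap = strsep(&cursor, " \t")) != NULL;)
        if (**ap != '\0')          /* skip empty fields from repeated separators */
            if (++ap >= &argv[MAX_TOKENS])
                break;
    int n = (int)(ap - argv);

    /* free(argv[i]) here would be CWE-761: an interior pointer. free(base) is correct. */
    free(base);
    return n;
}

int main(void)
{
    /* constructed sample input for this example */
    printf("%d tokens\n", count_tokens("ls  -l\t/tmp"));   /* 3 tokens */
    return 0;
}
```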
CVE ID | Title | CVSS | Severity | Published
CVE-2025-47749 | Fuji Electric V-SFT security vulnerability — V-SFT | 7.8 | High | 2025-05-19

Vulnerabilities classified as CWE-761 (Free of Pointer not at Start of Buffer) account for 1 CVE. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.